Cyber Security Briefing, 11 - 17 November

November 17, 2023

Microsoft November Patch Tuesday

Microsoft has released its Patch Tuesday updates for November, fixing a total of 63 vulnerabilities. Among the patched flaws are five 0-days, three of which are being actively exploited. The first of these is CVE-2023-36025, CVSS 8.8 according to the manufacturer, an actively exploited Windows SmartScreen flaw that allows a malicious Internet shortcut to bypass security checks and warnings.

The second, CVE-2023-36033, CVSS 7.8 according to the vendor, could allow elevation of privilege through the Windows DWM Core Library. The third, CVE-2023-36036, CVSS 7.8 according to the manufacturer, could likewise be exploited for elevation of privilege, in this case through the Windows Cloud Files component.

It should be noted that only one of the patched vulnerabilities is rated critical: CVE-2023-36397, CVSS 9.8, a flaw in Windows Pragmatic General Multicast (PGM) that could allow remote code execution if an attacker sends a specially crafted file over the network.

More info

New Critical Unpatched Vulnerability in VMware

VMware has issued an advisory reporting a critical, as yet unpatched vulnerability affecting Cloud Director Appliance deployments. The flaw, registered as CVE-2023-34060, is an authentication bypass that can be exploited by remote unauthenticated attackers in low-complexity attacks that require no user interaction.

The company notes that the vulnerability only affects appliances running VCD Appliance 10.5 that were upgraded from a previous version; fresh installations of VCD Appliance 10.5 and Linux deployments are not affected. No patch has been released for this bug, but VMware has provided a workaround in the form of a custom script that users can download and apply as a mitigation.

More info

CISA warns of Rhysida ransomware attacks

CISA, the FBI and MS-ISAC have issued a joint warning about Rhysida ransomware attacks, which have affected a variety of organizations since the group emerged in May 2023. Rhysida operates under the ransomware-as-a-service (RaaS) model, and its victims cluster in sectors such as education, healthcare, manufacturing, technology and government.

The advisory highlights that the threat actors gain initial access and maintain a presence within victims' networks through phishing attacks, by exploiting the vulnerability known as Zerologon (CVE-2020-1472, CVSS 10.0), and by abusing remote services such as VPNs with stolen credentials, especially in environments where multi-factor authentication is not enabled. It also warns that affiliates of the Vice Society group are now deploying Rhysida payloads.

Organizations are urged to apply the mitigation measures described in the security advisory, including vulnerability remediation, MFA activation and network segmentation to prevent lateral movement. Indicators of compromise, detection information and TTPs discovered during investigations are also provided.

More info

Effluence: backdoor against Atlassian Confluence assets

Aon's research team has identified a backdoor, dubbed Effluence, that malicious actors deploy by exploiting a vulnerability in Atlassian Confluence. The flaw exploited to distribute this malware is registered as CVE-2023-22515, CVSSv3 9.8, a critical bug in Confluence that can be exploited to create unauthorized Confluence administrator accounts and gain access to Confluence servers.

Once the vulnerability has been exploited, Effluence establishes persistence that is not removed by applying the security patches, giving malicious actors the ability to move laterally across the network and exfiltrate Confluence data. Attackers can access the backdoor remotely without authenticating to Confluence.

Finally, it should be noted that, in light of these findings, Atlassian has disclosed a second critical vulnerability, registered as CVE-2023-22518, CVSSv3 9.8, which can be chained with the previous one to set up an administrator account, resulting in loss of confidentiality, integrity and availability of data.

More info

CISA warns about Scattered Spider threat actor

CISA and the FBI have issued a joint warning about the Scattered Spider group, also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra, collaborating with the BlackCat/ALPHV ransomware operation.

Reportedly, contrary to the perception of a cohesive gang, Scattered Spider is a loose network of individuals, which complicates tracking. The group uses social engineering, phishing and MFA fatigue attacks to gain initial access to victims' corporate networks. Once inside, they employ a variety of publicly available tools for reconnaissance and lateral movement, and they run further phishing campaigns to install malware such as WarZone RAT and Raccoon Stealer.

They have also recently adopted data exfiltration and file encryption with BlackCat/ALPHV ransomware, applying double extortion. Scattered Spider shows particular interest in high-value assets such as code repositories and signing certificates, and they closely monitor victims' communication channels.

The CISA advisory includes a series of specific recommendations for countering this threat, and also recommends validating security controls against the MITRE ATT&CK techniques described therein.

More info